oalabs / blobrunner Goto Github PK

View Code? Open in Web Editor NEW

538.0 14.0 81.0 75 KB

Quickly debug shellcode extracted during malware analysis

License: MIT License

C 100.00%

blobrunner's People

Contributors

Stargazers

Watchers

Forkers

totoroha m00zh33 alex-dengx vbty cys3c expertasif dmdv 0thm4n3 mrmugiwara zaza6677 cr3m de8gman1990 alximiks limkokholefork lukw00heck avgirl killvxk tim1512 b-xiang in12hacker explife0011 yoohooyoo orf53975 zan00789 team-firebugs peta909 ektoplasma crazycars imulmul fire-flying fcccode arryboom ssp4rk liorbp reversetools erich8200 5l1v3r1 m4ttless ondrik8 chertogun raystyle ith4cker xuchen201810 tuantmb enginelabs litneet64 pypypy123 0xvm kosakd fengjixuchui crackercat kernweak skepppy haidragon zha0 jeromeyoung dothanthitiendiettiende thebigplate clayne pombredanne actorexpose guancaiban 5h4d3s msf-ntdll twi1ight jorgejorgeliu jhonnymoree nero22k hxlxmjxbbxs nasa03 lyingsimon data-gami icodein arijitnaha robert-yates nvisosecurity g0mxxm 7a6570 wd-2711 babywyrm dcdelia

blobrunner's Issues

--nopause flag doesn't work for x64bit program

--nopause flag doesn't work for x64bit program.

x64 printf bug

should be

#ifdef _WIN64
printf(" [] Thread Entry: 0x%016I64x\n", shell_entry);
#else
printf(" [] Thread Entry: 0x%08I32x\n", shell_entry);
#endif // _WIN64

No 64bit support?

Looks like __asm is not supported on x64, can you help?

Could be user error or possible bug. When I go to the offset specified in the Base, IDA view > segments the base addr is only listed as the end of the allocated memory never at the start for the shellcode.
shellcode3_actual_meterpreter.zip

passwd - infected

Shellcode entrypoint address printing error

In the previous versions, the shellcode entrypoint address is printed before pressing any key to jump to the shellcode. This allows us to set a breakpoint at the shellcode entrypoint before proceeding on.

In the latest version, the shellcode entrypoint address is printed after pressing any key as shown in the screenshot above.

--autobreak flag corrupts the shellcode execution

--autobreak flag provide the injection of "int 3" instruction into the shellcode, what could corrupt the shellcode execution.

Possible solution:
set the breakpoint before the jump to shellcode execution.

Small bug in line 117

printf(" [*] Navigate to the Thread Entry and set a breakpoint. Then press any key to resume the thread.\n",entry);

This line is missing a format specifier for entry.

Prepend an INT 3 instruction

The nopause option does not seem to be useful, I'd rather prepend an INT 3 instruction that forces OllyDBG to stop

Can you do something similar to this?

LPVOID process_file(char* inputfile_name){
        ...
	buffer=(char *)malloc(fileLen+1+4); //Create Buffer
	for (i = 0; i < 3; i ++) {
		buffer[i] = 0x90;
	}
	buffer[3] = 0xCC;
	fread(buffer+4, fileLen, 1, file);  //Read file to buffer
	fclose(file);                     //Close file handle
        ...

--offset assumes base 16

blobrunner incorrectly assumes the offset input is in base 16 or hex. For example, the two commands would jump to different offsets, even though they are equivalent.

blobrunner.exe blah.bin --offset 0xC000 
blobrunner.exe blah.bin --offset 3072

Code refactoring

Provide the code refactoring:

make code bit version independent
avoid program crashes on shell code execution
avoid memory leaks
code refactoring

oalabs / blobrunner Goto Github PK

blobrunner's People

Contributors

Stargazers

Watchers

Forkers

blobrunner's Issues

--nopause flag doesn't work for x64bit program

x64 printf bug

No 64bit support?

Memory Base Allocation

Shellcode entrypoint address printing error

--autobreak flag corrupts the shellcode execution

Small bug in line 117

Prepend an INT 3 instruction

--offset assumes base 16

Code refactoring

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent